Preparing for CMMC

Preparing for CMMC

Last month, the U.S. Office of the Under Secretary of Defense for Acquisition and Sustainment released draft version 0.6 of the Cybersecurity Maturity Model Certification (CMMC) standards document.

Link: CMMC Draft v0.6 – 7 November 2019

This release includes some reductions in the total number of requirements and provides additional clarity on the standards for Level 1 compliance. For those small businesses either just getting started, or currently holding contracts that are not expected to include controlled unclassified information (CUI), CMMC Level 1 may be all you need. As I’ve noted before, the earlier that people, processes and technologies can be adapted to meet this compliance requirement, the smoother this transition will be. An added bonus is if you already meet this level of compliance, you may be able to schedule and executed your assessment before the mad rush in the summer of 2020.

Level 1 Requirements Based on Federal Acquisition Regulations

OUSDA&S has been consistent in asserting that level 1 will be attainable without breaking the bank. They’ve identified 15 requirements and procedures to meet this compliance standard. These 15 are extracted nearly verbatim from 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.

Link: 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems

Fortunately for many, this contract clause is well-known and you’ve likely been operating under its requirements already. The 15 requirements and procedures are:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Federal Contract Information

In the v0.6 draft, protection of federal contract information (FCI) was noted as one of the driving factors requiring all DoD contractors to meet some level of compliance. Federal contract information is not a category of controlled unclassified information, at least it is not listed in the CUI Registry. However, the specific details of contract information may be restricted from public disclosure for various reasons. FCI is, in fact, called out in 48 CFR § 52.204-21 so this remains consistent between the Federal Acquisition Regulation and the CMMC.

Many Questions Remain Unanswered

This latest draft does help to clarify the requirements and procedures necessary to meet the CMMC standards and successfully undergo an assessment. There remain, however, some fundamental questions such as how long a certification is good for, how much assessments will cost and when they can be scheduled. Also, this draft v0.6 purposely left out further explanation on the levels 4-5, indicating these will be further refined prior to the next draft release.

The Time to Prepare is Now

As I’ve noted quite a few times, the longer we wait to achieve operational cybersecurity compliance with these standards, the more difficult and resource intensive the process will be. Consider that by the time your assessment is at hand, you not only want the controls, policies and procedures in place, but also for your organization to have had time to incorporate them into daily activities.

Dan bjorklund - cyber security specialist

Daniel Bjorklund


With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner, mentor and innovator. He serves as a principal vCISO at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. He is also active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in Information Technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.

Search our Blog
Subscribe to our Newsletter
We’ve got a lot of good info to share! Sign up for the Assured Bridge newsletter and receive tips on how to remain compliant with Federal CUI standards.